Ransomware hit at least 966 U.S. government agencies, educational establishments, and healthcare providers in 2019, at a cost possibly exceeding US$7.5 billion, Emisoft reported late last year.
The victims included 113 state and municipal governments and agencies; 764 healthcare providers; and 89 universities, colleges, and school districts. Operations at up to 1,233 individual schools were potentially affected.
The United States Coast Guard and oil and gas companies also were targeted.
The victims were hit hard, as the following sampling of consequences shows:
- Affected hospitals had to redirect emergency patients elsewhere;
- Medical records were rendered inaccessible and, in some cases, permanently lost;
- Surgical procedures had to be canceled, tests postponed, and admissions halted;
- Emergency services were interrupted;
- 911 dispatch centers were forced to rely on printed maps and paper logs to keep track of emergency responders in the field;
- Police officers were locked out of background check systems and prevented from accessing details about suspects’ criminal histories or active warrants;
- Surveillance systems were taken offline;
- Building access systems were knocked out;
- Online payment portals were taken out; and
- Schools could not access data about students’ allergies or medications.
Attackers have been launching more sophisticated attacks that are more difficult to prevent and demanding more money.
The average ransom payment in Q4 2019 was 104 percent greater than the average demand in Q3 — from about $42,000 to more than $84,000, Coveware found.
Further, ransomware attackers began exfiltrating data from victims and threatening to release it if their demands were not met, which could result in the addition of third-party claims to the remediation and containment costs victims must pay.
Coveware’s data comes from cases the firm has resolved directly, company CEO Bill Siegel told the E-Commerce Times. “We manage the cases and collect the data so we ensure the provenance.”
Quick and Easy Money
Ransomware incidents increased sharply in 2019.
Almost as many ransomware threats were detected in the first three months of 2019 as in the whole of 2018, Trend Micro reported.
The rise of Ransomware as a Service could explain why losses due to ransomware have been increasing, Fortinet suggested. Variants such as GandCrab generate as much as $2 billion in revenue for its developers.
Yet another reason could be that cybercriminals have been developing new ransomware variants.
Who’s in the Crosshairs
“All businesses are vulnerable at some level. It just depends on how diligent they are in identifying and remediating the vulnerabilities currently being exploited by ransomware perpetrators,” said Srinivas Mukkamala, CEO of RiskSense.
Recent data indicates states and city governments are the most vulnerable based on reported attacks, “but that’s simply a consequence of private enterprises not being required to report ransomware attacks,” he told the E-Commerce Times.
Critical infrastructure enterprises are not inherently any more or less vulnerable than other organizations, according to Mukkamala. “They just have far more serious consequences to deal with if their networks suffer a ransomware attack.”
The only criterion for ransomware attacks is “the criminal’s perception for the intended target to pay the ransom,” said David Jemmett, CEO of Cerberus Sentinel.
“It’s no different than a professional thief figuring out where the money is located,” he told the E-Commerce Times.
That said, the most vulnerable organizations are the ones that need information immediately or all work ceases, or there is the risk of loss of life and limb, such as those in healthcare, manufacturing, law enforcement and utilities, noted Erich Kron, security awareness advocate at KnowBe4.
“Some industries cannot afford any downtime, and this is a key point of leverage for cybercriminals,” he told the E-Commerce Times.
All About Money
Government organizations’ issues with security are longstanding, but it’s more a question of poor structure and inadequate funding than the competence of CIOs.
Back in 2015, the United States General Accountability Office released these findings:
- Many federal government CIOs also hold other high-level positions;
- 13 major areas of IT and information security are not always under their control;
- The CIOs don’t always have sufficient control over IT investments and often have limited influence over hiring and firing decisions and the performance of CIOs at subsidiary levels; and
- Only half the federal CIOs report directly to the heads of their respective agencies as required by law.
“At the state and local government levels, things are especially tough,” Kron pointed out. “Their budgets are stretched thin as it is, and there are any number of cyberthreats facing them in addition to ransomware.”
At the federal level, while there are more resources available, “the machine moves fairly slowly,” Kron said.
Still, the problem boils down to money. The biggest issue for the U.S. Army in trying to attract cyber talent “is the pay scale,” Kron remarked. “Even as a contractor, the salary scale is typically much lower than in the private sector, and this leaves some serious gaps in our cyber defense.”
The government is “notoriously underbudgeted for the onslaught of attacks, especially now that there are state-sponsored or government-funded attacks,” Cerberus’ Jemmett agreed.
“These sophisticated attacks are always improving daily, and most corporations or government bodies struggle to keep their assets updated and patched.”
That said, almost all cases of ransomware attacks succeeding are due to human error, Jemmett pointed out. “The most effective way of avoiding ransomware is to train staff to be aware of the dangers.”
There Oughta Be a Law
“Until Congress itself gets serious about cybersecurity from both a statutory and funding perspective, it’s not reasonable to expect government agency behavior and budget prioritization to change very much,” Mukkamala observed.
A bipartisan bill to establish a $400 million grant program at the U.S. Department of Homeland Security to help state and local governments combat cyber threats and potential vulnerabilities was introduced in the U.S. House of Representatives on Monday.
The House Homeland Security Committee is scheduled to hold a markup on the State and Local Cybersecurity Improvement Act Wednesday.
A similarly named bill was introduced in the House last August and referred to the House Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation in September.
The U.S. Senate in November approved bipartisan legislation to promote stronger cybersecurity coordination between the DHS and state and local governments.